15.2.8.1 HSM Hardware Modules used by SPPS

SPPS uses nShield Edge (Figure 15-45) and nShield Solo (Figure 15-46) hardware security modules (HSMs) manufactured by Thales. Both modules carry a FIPS 140-2 Level 3 security certificate.

nShield Edge is a USB-attached module.

Figure 15-45. nShield Edge HSM Module

nShield Solo is PCIe-based and can be installed in regular and compact-size PC boxes with a PCIe port.

Figure 15-46. nShield Solo HSM Module

nShield Edge HSMs have an integrated smart card reader. The included card reader for nShield Solo HSMs is external.

nShield Solo outperforms nShield Edge. nShield Solo is optimal for use in U‑HSM for performance-intensive programming Authentication Code and one-time passcode generation. nShield Edge is optimal for use in M‑HSM for handling lightweight bit stream generation operations. From the software and setup perspective, both modules are interchangeable, and module type selection is typically based on specific use conditions and the size of the SmartFusion2/IGLOO2 devices they serve.

The HSM module has standard Thales-provided cryptographic algorithms and can execute custom algorithms within the security boundaries provided by the HSM module.

The HSM module has limited internal nonvolatile memory for storing the module initiator key and Job Ticket information such as Ticket binding data, overbuild protection data, and so on. All other information that requires protection by the HSM is stored on the hard disk of the host PC.

For more information about nShield Edge and nShield modules, see the nShield Edge Solo User Guide from Thales.